
OpenSSL 1.0.2m on 2nd November 2017 #271

Closed
rvagg opened this issue Oct 30, 2017 · 13 comments

Comments

@rvagg
Member

rvagg commented Oct 30, 2017

Doing this here instead of in @nodejs/security since there's nothing sensitive here as far as I can tell. /cc @nodejs/security-wg

Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.0g and 1.0.2m.

These releases will be made available on 2nd November 2017 between
approximately 1300-1700 UTC.

This is a bug-fix release. It will also include a fix for the low
severity security issue previously published here:
https://www.openssl.org/news/secadv/20170828.txt

Please also note that, as per our previous announcements, support for
1.0.1 ended on 31st December 2016.

Yours

The OpenSSL Project Team

The issue in question is:

Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
===================================================================

Severity: Low

If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.

As this is a low severity fix, no release is being made. The fix can be
found in the source repository (1.0.2, 1.1.0, and master branches); see
https://github.com/openssl/openssl/pull/4276. This bug has been present
since 2006.

So, that's pretty low, I think the only reason this is even listed as a security problem is because it's a buffer over-read and they're leaving open the possibility that it could be more than just an "erroneous display".

So IMO we shouldn't rush this out but we need to keep up to date with OpenSSL as much as possible to retain trust. So I guess just line this up with the closest releases.

In the proposed LTS release schedule, this is going to miss v8.9.0 by 2 days and will then have to wait for a bit over a month for v8.9.1. I assume that Boron has a similar schedule to Carbon in this schedule. Are we OK with letting this dangle for a month? We'd just have to communicate it somewhere publicly.

@MylesBorins
Contributor

MylesBorins commented Oct 30, 2017 via email

@rvagg
Member Author

rvagg commented Oct 30, 2017

Oh lovely, this just appended to the announcement:

Correction: It will additionally include a fix for a moderate level
security issue.

No further details. So yeah, let's plan for shipping this ASAP afterward. If it were just this very-low issue then bundling with a standard release would be fine, but with this new "moderate" one and not having any details about it, we should do the usual planning for releasing within a day or two afterward. We normally tell people via nodejs-sec & the blog that we'll do an assessment after release and decide how to proceed after that. Perhaps the assessment will tell us that it's not even applicable to Node, in which case we can just bundle the upgrade with the next release.

@rvagg
Member Author

rvagg commented Oct 30, 2017

Proposed announcement nodejs/nodejs.org#1430, who's around to review? @MylesBorins?

@MylesBorins
Contributor

MylesBorins commented Oct 30, 2017 via email

@rvagg
Member Author

rvagg commented Oct 31, 2017

I'd be very confident that we won't need to act urgently on this so Friday will be the likely earliest that we need to act. My rough guess is that we may be able to defer this even until the next scheduled releases but we'll have to wait and see what the moderate is!

rvagg added a commit to nodejs/nodejs.org that referenced this issue Oct 31, 2017
@rvagg
Member Author

rvagg commented Oct 31, 2017

Announcement has gone public. We're going to need some folks in @nodejs/crypto to help with assessment when the medium is public on Thursday. A look at CVE-2017-3735 would be helpful too and that could be done now since it's public @ openssl/openssl#4276

@shigeki

shigeki commented Oct 31, 2017

A look at CVE-2017-3735 would be helpful too and that could be done now since it's public @ openssl/openssl#4276

CVE-2017-3735 fixed buffer overread in parsing X.509 certificate which supports extensions defined in RFC3779. Node disables RFC3779 support by defining OPENSSL_NO_RFC3779 as https://github.com/nodejs/node/blob/master/deps/openssl/config/archs/linux-x86_64/opensslconf.h#L32-L34 in linux-x86_64 as well as in other archs.
So I don't think that CVE-2017-3735 affects Node.

The moderate severity issue includes a TLS client crash and has the possibility to affect Node. I will make a security assessment as soon as it is released to see if an urgent release is needed.
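To make the shape of the CVE-2017-3735 bug class concrete, here is an added example (not OpenSSL's or Node's code) that decodes the RFC 3779 `addressFamily` field and an IP prefix bit string the way a certificate text dumper would, with the length checks a malformed extension needs. The field layouts (2-byte AFI plus optional 1-byte SAFI; BIT STRING content starting with an unused-bits count) are assumptions taken from RFC 3779 and DER, not from the thread.

```python
"""Decoder for RFC 3779 IPAddressFamily pieces, with bounds checks.

Added illustration, not OpenSSL's or Node's code. Assumed layouts
(from RFC 3779 / DER): addressFamily is an OCTET STRING holding a
2-byte AFI followed by an optional 1-byte SAFI; an IPAddress is a
BIT STRING whose first content byte counts unused trailing bits.
"""
import ipaddress
from typing import Optional, Tuple

AFI_IPV4 = 1
AFI_IPV6 = 2


def decode_address_family(octets: bytes) -> Tuple[int, Optional[int]]:
    """Return (afi, safi); raise ValueError on a malformed field.

    The length check is the whole point: reading octets[0] and
    octets[1] from a field shorter than two bytes is a one-byte
    over-read of the kind the advisory describes.
    """
    if len(octets) < 2:
        raise ValueError("addressFamily shorter than the 2-byte AFI")
    if len(octets) > 3:
        raise ValueError("addressFamily longer than AFI + optional SAFI")
    afi = int.from_bytes(octets[:2], "big")
    safi = octets[2] if len(octets) == 3 else None
    return afi, safi


def decode_prefix(afi: int, bitstring: bytes) -> str:
    """Render a DER BIT STRING payload as CIDR text, e.g. '10.0.0.0/8'."""
    if not bitstring:
        raise ValueError("empty BIT STRING content")
    unused, body = bitstring[0], bitstring[1:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    if unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero (DER)")
    width = {AFI_IPV4: 4, AFI_IPV6: 16}.get(afi)
    if width is None:
        raise ValueError(f"unsupported AFI {afi}")
    if len(body) > width:
        raise ValueError("prefix longer than the address width")
    prefix_len = len(body) * 8 - unused
    # Zero-pad the truncated prefix bytes out to a full address.
    addr = ipaddress.ip_address(body + bytes(width - len(body)))
    return f"{addr}/{prefix_len}"
```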

@mhdawson
Member

mhdawson commented Nov 1, 2017

@rvagg as a suggestion it would have been good to have a reference to this in the security repo. I was looking for it earlier when I saw the post to nodejs-sec and was looking in the security repo as I thought that was where it would be if we had an open issue.

@MylesBorins
Contributor

MylesBorins commented Nov 1, 2017

Do we have an update on this?
Edit: I just remembered it isn't Thursday.

@richardlau
Member

nodejs/node#16691

@rvagg
Member Author

rvagg commented Nov 2, 2017

Can someone give a summary of CVE-2017-3736 as it impacts Node? @shigeki? We need to decide whether rushing releases is worth it. I haven't had a look in detail yet but I'm hearing that exploits are pretty improbable.

@rvagg
Member Author

rvagg commented Nov 2, 2017

Found discussion in nodejs/security, will sync with discussion here when we come up with a proposal, thanks @MylesBorins for pointing me to that!

@rvagg
Member Author

rvagg commented Nov 2, 2017

Proposed announcement @ nodejs/nodejs.org#1443, pls review!

Summary release plan:

Due to the low impact and low severity of these fixes, we have decided not to push urgent releases of Node.js this week. Releases of all active release lines are scheduled for next Tuesday, the 7th of November and these releases will all include OpenSSL 1.0.2m along with other regular Node.js patches and additions.
